(RADIATOR) Question about Radiator Support.
Ricardo Martinez
rmartinez at redvoiss.net
Wed Jan 4 15:13:13 CST 2006
Hello.
Regarding this issue: I installed Radiator version 3.13. I even
installed the perl-MD4 support as Martin pointed out, and I used the dictionary.sip,
but still my Radiator can't "understand" the Digest attributes.
I'm going to explain my situation again; maybe with this new Radiator
version something can be done.
As I described in my initial post, I'm using Radiator to authenticate my SIP
clients from my platform. My SIP proxy sends an Access-Request with this
format:
Attributes:
User-Name = MA_1942430 at sip.domain.com
Digest-Attributes = "<10><12>MA_1942430"
Digest-Attributes = "<1><20>sip.domain.com"
Digest-Attributes = "<2>*43bbf113b4aec1b2a41071f19acaa305bf258fe4"
Digest-Attributes = "<4><24>sip:sip.domain.com"
Digest-Attributes = "<3><10>REGISTER"
Digest-Attributes = "<5><6>auth"
Digest-Attributes = "<9><10>00000097"
Digest-Attributes = "<8><10>34e3d02f"
Digest-Response = "f9a8677c3550372a09a8685cc76c4ec7"
Service-Type = Sip-Session
Sip-Uri-User = "559100001027"
NAS-IP-Address = 100.100.100.35
NAS-Port = 5060
This RADIUS request has several "Digest-Attributes" attributes; these digest
attributes follow "draft-sterman-aaa-sip-00". Digest
authentication attributes are encoded as sub-attributes into a single RADIUS
attribute (Digest-Attributes).
So, as I commented in my original post, I can handle this using a
PreClientHook, and it works OK. This is what I have:
PreClientHook file:"/usr/src/radiusd/Radiator-3.13/goodies/digest.pl"
and then if I want to match according to the Digest-Method I use a handler
like:
<Handler Digest-Method=REGISTER>
And the request matches OK.
So far so good, but as Hugh mentioned:
"Sent: Friday, June 03, 2005 6:34 PM
Subject: Re: (RADIATOR) Question about Radiator Support.
>
> Hello Ricardo -
>
> Further to this, I didn't make it clear that if you define your
> dictionaries like this (in recent versions of Radiator):
>
> DictionaryFile %D/dictionary, %D/dictionary.sip
>
> SIP authentication will work automatically without requiring hooks or
> whatever.
>
> The most recent version is Radiator 3.13.
>
> regards
>
> Hugh
"
I even read the dictionary.sip included in the 3.13 version:
+++++++++++++++++++++++++++++++++++++++++++++++++++++
# This is a specialised dictionary for recognising
# SIP radius attritbues as described in draft-sterman-aaa-sip-00.txt
# They are included in this spearate dictionary because they conflict with
# other common and standard attributes.
# They override attribues 206 Ascend-Menu-Item and 207 Ascend-PW-Warntime
# in the standard dictionary.
# Author: Mike McCauley mikem at open.com.au
# $Id: dictionary.sip,v 1.2 2003/01/02 11:21:07 mikem Exp $
+++++++++++++++++++++++++++++++++++++++++++++++++++++
So I was expecting that with this new dictionary maybe the Digest-Attributes
could be parsed OK. But this is what I obtain (removing my PreClientHook):
Wed Jan 4 15:52:19 2006: DEBUG: Handling request with Handler ' '
The attribute Digest-Attributes = "<3><10>REGISTER" seems not to be parsed
to Digest-Method="REGISTER", and then the match with the Handler fails.
So, what am I doing wrong?
Does Radiator support this kind of attribute?
I'm attaching my radius.cfg:
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
LogStdout
DbDir /usr/src/radiusd/Radiator-3.13
LogDir /var/log/radiator
LogFile %L/logfile_radius_auth_ser
PidFile %L/radiusd_radius_auth_ser.pid
AuthPort 1647
AcctPort
DictionaryFile %D/dictionary, %D/dictionary.sip
# This will log at DEBUG level: very verbose
# Use a lower trace level in production systems, typically use 3
Trace 5
# You will probably want to add other Clients to suit your site,
# one for each NAS you want to work with. This will work
# at least with radpwtst running on the local machine
#PreClientHook file:"/usr/src/radiusd/Radiator-3.13/goodies/digest.pl"
....client part removed
# Authentication LOG profile, %L is replaced by LogDir above.
<AuthLog FILE>
Identifier AUTH_SIP_LOG
Filename %L/auth/sip/auth_%{Digest-Method}_log
LogSuccess 1
LogFailure 1
# FORMAT
# Time,User-Name,User,Realm,Nonce,Uri,Method,qop,Nonce-count,Cnonce,Nonce-Response,Service-Type,SIP-Uri-User,NAS-IP-Address,MessageSeverity,Reason,OK/FAIL
SuccessFormat %l,%{User-Name},%{Digest-User},%{Digest-Realm},%{Digest-Nonce},%{Digest-Uri},%{Digest-Method},%{Digest-qop},%{Digest-Nonce-count},%{Digest-Cnonce},%{Digest-Response},%{Service-Type},%{Sip-Uri-User},%{NAS-IP-Address},%0,%1:OK
FailureFormat %l,%{User-Name},%{Digest-User},%{Digest-Realm},%{Digest-Nonce},%{Digest-Uri},%{Digest-Method},%{Digest-qop},%{Digest-Nonce-count},%{Digest-Cnonce},%{Digest-Response},%{Service-Type},%{Sip-Uri-User},%{NAS-IP-Address},%0,%1:FAIL
</AuthLog>
#++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
#
# HANDLER FOR PREPAID USERS (ADAPTERS)
#
#+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
<Handler Digest-Method=REGISTER>
# AuthByPolicy is added to handle database timeouts.
AuthByPolicy ContinueWhileIgnore
<AuthBy SQL>
DBSource dbi:Oracle:*******
DBUsername *****
DBAuth *****
NoDefault
AuthSelect select *************
AuthColumnDef 0, User-Password, check
AuthColumnDef 1, NAS-Port-Type, reply
</AuthBy>
<AuthBy INTERNAL>
DefaultResult REJECT
</AuthBy>
# Log authentication to a detail file.
AuthLog AUTH_SIP_LOG
</Handler>
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
More information about sterman-aaa-sip at:
http://www.watersprings.org/pub/id/draft-sterman-aaa-sip-00.txt
I really hope that someone can help me here!
Thanks!
Ricardo Martinez.-
-----Original Message-----
From: Martin Wallner [mailto:Martin.Wallner at eunet.co.at]
Sent: Thursday, December 29, 2005 21:58
To: Rosario Pingaro; Hugh Irvine
CC: radiator at open.com.au
Subject: AW: (RADIATOR) Question about Radiator Support.
I might be TOTALLY on the wrong track here, but sometimes perl-MD4 Support
is not installed/missing (and that one is used for MSCHAP)... That can bring
the funniest effects....
Martin
_____
From: owner-radiator at open.com.au on behalf of Rosario Pingaro
Sent: Thu 29.12.2005 23:02
To: Hugh Irvine
Cc: radiator at open.com.au
Subject: Re: (RADIATOR) Question about Radiator Support.
We are experiencing the same problem.
Radiator is the latest 3.13 patched.
I have coupled my dictionary with the SIP one like Hugh described some time
before, but I am not able to get Radiator to decode the Digest-Attribute:
Attributes:
User-Name = "rpingar at voip.convergenze.it"
Digest-Attributes = "<10><9>rpingar"
Digest-Attributes = "<1><21>voip.convergenze.it"
Digest-Attributes = "<2>*43b45a051b018d59f1ccf21927c56cb5f3b7eabe"
Digest-Attributes = "<4><25>sip:voip.convergenze.it"
Digest-Attributes = "<3><10>REGISTER"
Digest-Response = "e8b688341619b901e17713acec847ff1"
Service-Type = IAPP-Register
SIP-URI-User = "rpingar"
NAS-Port = 5060
This is the dictionary from the radiusclient:
#### Attributes ###
ATTRIBUTE User-Name                  1    string  # RFC2865, acc, auth_radius, avp_radius, group_radius, uri_radius
ATTRIBUTE NAS-Port                   5    integer
ATTRIBUTE Service-Type               6    integer # RFC2865, acc, auth_radius, avp_radius, group_radius, uri_radius
ATTRIBUTE Called-Station-Id          30   string  # RFC2865, acc
ATTRIBUTE Calling-Station-Id         31   string  # RFC2865, acc
ATTRIBUTE Acct-Status-Type           40   integer # RFC2865, acc
ATTRIBUTE Acct-Session-Id            44   string  # RFC2865, acc
ATTRIBUTE Sip-Method                 101  integer # Schulzrinne, acc
ATTRIBUTE Sip-Response-Code          102  integer # Schulzrinne, acc
ATTRIBUTE Sip-Cseq                   103  string  # Schulzrinne, acc
ATTRIBUTE Sip-To-Tag                 104  string  # Schulzrinne, acc
ATTRIBUTE Sip-From-Tag               105  string  # Schulzrinne, acc
ATTRIBUTE Sip-Translated-Request-URI 107  string  # Proprietary, acc
ATTRIBUTE Digest-Response            206  string  # Sterman, auth_radius
ATTRIBUTE Sip-Uri-User               208  string  # Proprietary, auth_radius
ATTRIBUTE Sip-Group                  211  string  # Proprietary, group_radius
ATTRIBUTE Sip-Rpid                   213  string  # Proprietary, auth_radius
ATTRIBUTE SIP-AVP                    225  string  # Proprietary, avp_radius
ATTRIBUTE Digest-Realm               1063 string  # Sterman, auth_radius
ATTRIBUTE Digest-Nonce               1064 string  # Sterman, auth_radius
ATTRIBUTE Digest-Method              1065 string  # Sterman, auth_radius
ATTRIBUTE Digest-URI                 1066 string  # Sterman, auth_radius
ATTRIBUTE Digest-QOP                 1067 string  # Sterman, auth_radius
ATTRIBUTE Digest-Algorithm           1068 string  # Sterman, auth_radius
ATTRIBUTE Digest-Body-Digest         1069 string  # Sterman, auth_radius
ATTRIBUTE Digest-CNonce              1070 string  # Sterman, auth_radius
ATTRIBUTE Digest-Nonce-Count         1071 string  # Sterman, auth_radius
ATTRIBUTE Digest-User-Name           1072 string  # Sterman, auth_radius
It seems that what you call attribute 207 has, from the client's point of view,
different attributes, from 1063 to 1072.
How to deal with this strange situation?
Thanks
Rosario
----- Original Message -----
From: "Hugh Irvine" <hugh at open.com.au>
To: "Ricardo Martinez" <rmartinez at redvoiss.net>
Cc: <radiator at open.com.au>
Sent: Friday, June 03, 2005 6:34 PM
Subject: Re: (RADIATOR) Question about Radiator Support.
>
> Hello Ricardo -
>
> Further to this, I didn't make it clear that if you define your
> dictionaries like this (in recent versions of Radiator):
>
> DictionaryFile %D/dictionary, %D/dictionary.sip
>
> SIP authentication will work automatically without requiring hooks or
> whatever.
>
> The most recent version is Radiator 3.13.
>
> regards
>
> Hugh
>
>
> On 3 Jun 2005, at 16:07, Hugh Irvine wrote:
>
>>
>> Hello Ricardo -
>>
>> On this same topic - see the file "dictionary.sip" in the Radiator 3.13
>> distribution.
>>
>> regards
>>
>> Hugh
>>
>>
>> On 3 Jun 2005, at 05:32, Ricardo Martinez wrote:
>>
>>
>>> Hello list.
>>> I'm using SER (Sip Express Router) to provide SIP services, and
>>> also I'm using Radiator 3.9 for my AAA services.
>>> SER sends my RADIUS server an authentication message like this:
>>>
>>> Attributes:
>>> User-Name = "user1 at mydomain.com"
>>> Digest-Attributes = "<10><10>user1"
>>> Digest-Attributes = "<1><23>mydomain.com"
>>> Digest-Attributes = "<2>*429f5a94dfac500699b5465aae863a390d5ebd92"
>>> Digest-Attributes = "<4>&sip:1234567 at mydomain.com"
>>> Digest-Attributes = "<3><10>REGISTER"
>>> Digest-Attributes = "<5><6>auth"
>>> Digest-Attributes = "<9><10>00000037"
>>> Digest-Attributes = "<8><10>dbb06da4"
>>> Digest-Response = "08525b9e17e0ed25fccc61b104ff9e20"
>>> Service-Type = Sip-Session
>>> Sip-Uri-User = "1234567"
>>> NAS-IP-Address = 10.1.1.3
>>> NAS-Port = 5060
>>>
>>> As you can see I have different Digest-Attributes with different
>>> values.
>>> These Digest-Attributes are supposed to be parsed to Digest-Uri,
>>> Digest-Realm, Digest-Nonce, etc., but RADIATOR seems not to be doing
>>> anything about it.
>>> Well. A long time ago, when I asked on this mailing list, Hugh told me
>>> that I need to run a preClientHook and parse these attributes myself...
>>> well, that's what I'm doing now and it is working.
>>> What I found out recently is that, for example, FreeRadius Server
>>> recognizes these attributes and does the conversion by itself. So I'm
>>> wondering if Radiator maybe now has support for this type of message;
>>> I think that is the draft "draft-sterman-aaa-sip-00".
>>>
>>> I hope that someone could give me a hand here.
>>> Thanks in advance.
>>>
>>> Regards,
>>>
>>> Ricardo Martinez.-
>>>
>>> --
>>> Archive at http://www.open.com.au/archives/radiator/
>>> Announcements on radiator-announce at open.com.au
>>> To unsubscribe, email 'majordomo at open.com.au' with
>>> 'unsubscribe radiator' in the body of the message.
>>>
>>>
>>
>>
>> NB:
>>
>> Have you read the reference manual ("doc/ref.html")?
>> Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
>> Have you had a quick look on Google (www.google.com)?
>> Have you included a copy of your configuration file (no secrets),
>> together with a trace 4 debug showing what is happening?
>>
>> --
>> Radiator: the most portable, flexible and configurable RADIUS server
>> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
>> -
>> Nets: internetwork inventory and management - graphical, extensible,
>> flexible with hardware, software, platform and database independence.
>> -
>> CATool: Private Certificate Authority for Unix and Unix-like systems.
>>
>>
>>
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
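
The decoding this thread expects from the server, as an added example that is not part of the original post and is not Radiator or SER code: each Digest-Attributes value is read as type, length, value, and sub-attribute type N is mapped to the Digest-* name that the quoted radiusclient dictionary lists at code 1062 + N. The reading of `<n>` in the trace as one byte, the function names and the sample values are assumptions made for this example.

```python
import re

# Sub-attribute types 1..10, named as in the radiusclient dictionary quoted
# in this thread (its codes 1063..1072 are 1062 + sub-attribute type).
SUBATTR = {1: "Digest-Realm", 2: "Digest-Nonce", 3: "Digest-Method",
           4: "Digest-URI", 5: "Digest-QOP", 6: "Digest-Algorithm",
           7: "Digest-Body-Digest", 8: "Digest-CNonce",
           9: "Digest-Nonce-Count", 10: "Digest-User-Name"}

def from_trace(text):
    """Turn trace text such as '<3><10>REGISTER' back into raw bytes.
    Assumption: <n> stands for one non-printable byte of decimal value n."""
    out = bytearray()
    for esc, lit in re.findall(r"<(\d{1,3})>|(.)", text, re.S):
        out += bytes([int(esc)]) if esc else lit.encode("latin-1")
    return bytes(out)

def parse_digest_attributes(raw):
    """Decode sub-attributes; the length byte counts type, length and value."""
    found, pos = [], 0
    while pos < len(raw):
        if len(raw) - pos < 2:
            raise ValueError("truncated sub-attribute header at offset %d" % pos)
        kind, length = raw[pos], raw[pos + 1]
        if length < 2 or pos + length > len(raw):
            raise ValueError("bad length %d for type %d" % (length, kind))
        if kind not in SUBATTR:
            raise ValueError("unknown sub-attribute type %d" % kind)
        found.append((SUBATTR[kind], raw[pos + 2:pos + length].decode("latin-1")))
        pos += length
    return found

def decode_request(trace_values):
    """Flatten every Digest-Attributes value of one request into a dict."""
    attrs = {}
    for value in trace_values:
        for name, text in parse_digest_attributes(from_trace(value)):
            if name in attrs:
                raise ValueError("duplicate " + name)
            attrs[name] = text
    return attrs

# Constructed sample modelled on the traces in this thread (not real data).
SAMPLE = ["<10><7>alice", "<1><13>example.com", "<2><10>0a1b2c3d",
          "<4><17>sip:example.com", "<3><10>REGISTER", "<5><6>auth"]

if __name__ == "__main__":
    for name, value in decode_request(SAMPLE).items():
        print(name, "=", value)
```

The length check is strict: a value whose length byte does not match the bytes that follow raises ValueError instead of being decoded.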